About Employee Supervision and Access

Employee supervision determines who a supervisor can access and what he or she can do.

Who can be accessed is determined by an organization unit. Organization units work as containers of accessible employees. This selection can be further narrowed only to certain positions.

What can be done is determined by an access role. Roles specify what data can be viewed and what operations can be performed, e.g., authorization, approval, cancellation, deletion.

Supervision can be granted in different ways:

• Access role assignment - access rights are determined by an access role and given over all members of selected organization units.
• Supervising Position Assignment - access roles can be assigned to a position instead of an employee. As a result, everyone who holds the position receives relevant access roles. However, additional configuration is required. Supervision is granted only over members of relevant organization units who hold a position defined as one subordinate to the supervisor.
• Position Access Assignment - works just like supervising position assignment, except only position access is assigned instead of a position.
• Becoming and HR administrator - usually reserved for a few selected people, it gives access to everything and everyone in HR.

Technical Information:

Access control is based on Logical Units, which are pieces of programming code devoted to a specific application area, e.g., travel expenses, time authorization, benefits administration. Access management allows you to protect employee data related to the selected logical unit (e.g. travel expenses, training and development, time and attendance, schedules and rules).

Access management is divided into 3 layers built on top of each other:

• Access Attribute - closest to the application's core, attributes determine what logical units are protected, what data operations are allowed (registration, modification, removal), what key columns are affected, and what values can be entered (e.g., approved; authorized). Attributes can set a lock that prevents anyone with a lower access level from overriding changes made by someone who uses the attribute.
  This layer is intended for advanced users.
• Access Role - roles work as containers for access attributes. Each role is filled with relevant access attributes and can be later assigned to someone, bestowing all attributes on that person.
  Roles have a special "power level" which determines the strength of an attribute access lock mentioned earlier. It means that if an attribute sets an access lock, the role determines lock's strength.
• Position Access - just as access attributes are grouped under access roles, access roles can be grouped under positions. This way, when a position or position access is assigned, all relevant access roles will be received. However, access bestowed by positions works only on employees who hold subordinate positions. Subordinate positions have to be defined for each supervising position.